Alias /ui /usr/share/ipsilon/ui
Alias /.well-known /etc/ipsilon/wellknown
WSGIScriptAlias / /usr/libexec/ipsilon
WSGIPassAuthorization On
WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
WSGIImportScript /usr/libexec/ipsilon process-group=ipsilon application-group=ipsilon


<Location />
    WSGIProcessGroup ipsilon
</Location>

<Location /login/gssapi/negotiate>
    AuthName "GSSAPI Single Sign On Login"
{% if env == "staging" %}
    GssapiCredStore keytab:/etc/krb5.HTTP_id.stg.fedoraproject.org.keytab
{% else %}
    GssapiCredStore keytab:/etc/krb5.HTTP_id.fedoraproject.org.keytab
{% endif %}
    AuthType GSSAPI
    # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
    GssapiSSLonly Off
    GssapiLocalName on
    Require valid-user
    ErrorDocument 401 /login/gssapi/unauthorized
    ErrorDocument 500 /login/gssapi/failed
</Location>

<Directory /usr/libexec>
    Require all granted
</Directory>

<Directory /usr/share/ipsilon>
    Require all granted
</Directory>

<Directory /etc/ipsilon/wellknown>
    Require all granted
</Directory>
<Location /.well-known/browserid>
    ForceType application/json
</Location>
